
Protecting your site by detection

You can find many articles on the web that cover how to prevent your site from getting hacked. But how do you actually detect that your site was compromised?

It's probably just a matter of time before you get hacked. And a WordPress plugin is never the solution, since a plugin should support the site. In this presentation I discuss the basics you can do with WordPress and which software you can use to prevent, and detect, hacking.


  1. CodeKitchen / Marko Heijnen: Protecting your site by detection
  2. Marko Heijnen • Founder of CodeKitchen • Lead developer of GlotPress • Core contributor for WordPress • Plugin developer • Organizer of WordCamp Belgrade • Using lots of (new) technologies
  3. Recently lots of security issues got reported
  4. Stats for the first 5 months of 2015 • 3 core security updates • Cross-site scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions by plugins • Cross-site scripting (XSS) vulnerability inside the popular Jetpack plugin and the default Twenty Fifteen theme because of Genericons
  5. I almost got hacked
  6. Not only your site but also your server
  7. My server setup (diagram): Loadbalancer, Webserver 1, Webserver 2, Memcached, Elasticsearch, MariaDB
  8. My server setup, public versus private (diagram) • Public: Loadbalancer • Private: Webserver 1, Webserver 2, Memcached, Elasticsearch, MariaDB
  9. Do you know if you are currently hacked?
  10. Protecting is silver
  11. Detecting is gold
  12. What can you detect?
  13. Detection of your install • Updates of WordPress, plugins and themes • Failed login attempts • Security issues in plugins and themes • Security enhancements reported by core • List of plugins/themes you don't use
  14. Detection of the server • Updates of server software • Failed login attempts
  15. Detection of what is going on • Requests to plugins you don't have (404s) • Permissions of your folders/files • Check if files got changed (core, plugins, themes) • Check if files got added (core, plugins, themes) • What is in your uploads folder (PHP files)
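As an added example (not the presenter's own code), here is a small Python scan over web-server access-log lines that implements two of the detections listed on slides 13 to 15: 404 requests under wp-content/plugins/ for plugins you do not have, and repeated failed logins. The log lines are constructed for the example and use documentation IP ranges; the plugin slugs "some-slider" and "some-uploader" and the INSTALLED set are made up. The failed-login rule is a heuristic that assumes stock WordPress behaviour: a failed POST to wp-login.php re-renders the form with HTTP 200, while a successful login answers with a 302 redirect.

```python
# Added example: log-based detection for a WordPress site (not the
# presenter's code). Parses nginx/Apache "combined" access-log lines.
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
PLUGIN_RE = re.compile(r'^/wp-content/plugins/([^/?]+)')

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan(lines, installed_plugins, login_threshold=5):
    """Flag (a) 404s under wp-content/plugins/<slug>/ for slugs that are not
    installed, i.e. someone probing for vulnerable plugins, and (b) IPs with
    at least login_threshold failed wp-login.php POSTs."""
    probes = defaultdict(set)      # ip -> set of probed, non-installed slugs
    failed_logins = Counter()      # ip -> failed wp-login.php POSTs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec['path'].split('?', 1)[0]   # drop the query string
        m = PLUGIN_RE.match(path)
        if m and rec['status'] == '404' and m.group(1) not in installed_plugins:
            probes[rec['ip']].add(m.group(1))
        # Heuristic (assumption): stock WordPress answers a failed login with
        # the form again (HTTP 200) and a successful one with a redirect (302).
        if rec['method'] == 'POST' and path == '/wp-login.php' and rec['status'] == '200':
            failed_logins[rec['ip']] += 1
    return {
        'plugin_probes': {ip: sorted(slugs) for ip, slugs in probes.items()},
        'brute_force': {ip: n for ip, n in failed_logins.items() if n >= login_threshold},
    }

# Constructed sample log: documentation IP ranges, made-up plugin slugs.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2015:10:01:02 +0200] "GET /wp-content/plugins/some-slider/readme.txt HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2015:10:01:03 +0200] "GET /wp-content/plugins/some-uploader/upload.php?f=x HTTP/1.1" 404 169 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2015:10:02:00 +0200] "GET /wp-content/plugins/akismet/_inc/akismet.js HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2015:10:02:01 +0200] "GET /wp-content/plugins/akismet/missing.css HTTP/1.1" 404 169 "-" "Mozilla/5.0"
192.0.2.44 - - [12/May/2015:10:03:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3900 "-" "python-requests/2.7"
192.0.2.44 - - [12/May/2015:10:03:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3900 "-" "python-requests/2.7"
192.0.2.44 - - [12/May/2015:10:03:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3900 "-" "python-requests/2.7"
192.0.2.44 - - [12/May/2015:10:03:03 +0200] "POST /wp-login.php HTTP/1.1" 200 3900 "-" "python-requests/2.7"
192.0.2.44 - - [12/May/2015:10:03:04 +0200] "POST /wp-login.php HTTP/1.1" 200 3900 "-" "python-requests/2.7"
192.0.2.44 - - [12/May/2015:10:03:05 +0200] "POST /wp-login.php HTTP/1.1" 200 3900 "-" "python-requests/2.7"
192.0.2.44 - - [12/May/2015:10:03:06 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.7"
198.51.100.9 - - [12/May/2015:10:04:00 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Made-up installed set; on a real site this comes from: wp plugin list --field=name
INSTALLED = {'akismet', 'jetpack'}

def demo():
    return scan(SAMPLE_LOG.splitlines(), INSTALLED)

if __name__ == '__main__':
    print(demo())
```

Note the two edge cases the sample exercises: the 404 for akismet/missing.css is not reported because akismet is installed (a broken asset link is not a probe), and the 302 after six failed attempts from 192.0.2.44 is exactly the pattern worth alerting on, since it may be a guessed password rather than a legitimate user. Feed the output to fail2ban or your own alerting; the login heuristic breaks if a plugin changes the response code of wp-login.php, so check it against your own logs first.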
  16. How I do it
  17. Software for security I use • modsecurity / UFW on every server (default policy blocks everything) • fail2ban • apticron (only 1 per matching type) • apt-dater-host (in combination with apt-dater) • Own code
  18. Apticron • Cron job checking if there are updates • Mails you when there are updates • Can mail the total list or only new updates
  19. apt-dater and apt-dater-host • Terminal-based remote package update manager • A tool to manage a lot of servers • Groups identical servers • Install and update packages
  20. My server setup with the tooling per machine (diagram) • Loadbalancer: fail2ban, modsecurity, ufw, apticron, apt-dater-host • Webserver 1 and Webserver 2: ufw, apt-dater-host, apticron on web1 only • Memcached, Elasticsearch, MariaDB: ufw, apticron, apt-dater-host
  21. Use WordPress to manage WordPress
  22. Features • List all Linux packages • List all PECL updates • Shows if WP-CLI needs updating • Restart services
  23. Features • List all WordPress updates • Ability to perform updates when allowed • Checksum scans • Upload directory scans • Doing backups • Send WP-CLI command
  24. List of all servers
  25. List of all sites
  26. General overview of a site
  27. Security checks for the site
  28. WP Central
  29. WP Central API • http://wpcentral.io/api/ • First started with contributors • After that, stats • Now creating checksums for plugins and themes • Soon similar functionality as wpvulndb.com
  30. Node.js server • WordPress calls a microserver (nginx) • nginx calls the Node.js server • Returns the data when it exists • Returns an error when it does not and generates the checksums behind the scenes
  31. WP Central API • http://wpcentral.io/api/checksums/theme/twentyfifteen/1.2 • While generating: [{"code":"wpcentral_server_error","message":"Generating checksums"}] • When ready: [{"file":"header.php","checksum":"c0919b5f4b6e4f3a58b858b2305e9146"}, …]
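The file checks from slide 15 (changed files, added files, PHP in the uploads folder) driven by a manifest in the shape slide 31 shows, as an added example in Python that is neither the presenter's code nor WP Central's. The theme and uploads directories, their contents and the manifest are constructed in a temp directory; the manifest entries are MD5 hex digests like the one on slide 31, so a per-theme or per-plugin manifest is verified against that theme's or plugin's directory.

```python
# Added example (not the presenter's or WP Central's code): verify a directory
# against a checksum manifest of the shape the WP Central API returns,
# [{"file": "header.php", "checksum": "<md5>"}, ...], and scan uploads for PHP.
import hashlib
import os
import tempfile

def md5_of(path):
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()

def walk_files(root):
    """Yield paths relative to root, with '/' separators like the manifest."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            yield rel.replace(os.sep, '/')

def verify_tree(root, manifest):
    """Compare the files under root with the manifest; report three lists."""
    expected = {entry['file']: entry['checksum'] for entry in manifest}
    present = set(walk_files(root))
    changed = sorted(f for f in expected
                     if f in present and md5_of(os.path.join(root, f)) != expected[f])
    missing = sorted(f for f in expected if f not in present)
    added = sorted(present - set(expected))   # anything the manifest does not know
    return {'changed': changed, 'missing': missing, 'added': added}

PHP_LIKE = {'php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar'}

def php_in_uploads(uploads_root):
    """Files under uploads whose name carries a PHP-like extension anywhere,
    so shell.php.jpg is caught as well as shell.php."""
    hits = []
    for rel in walk_files(uploads_root):
        segments = os.path.basename(rel).lower().split('.')[1:]
        if PHP_LIKE & set(segments):
            hits.append(rel)
    return sorted(hits)

def _write(root, rel, text):
    path = os.path.join(root, *rel.split('/'))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, 'w') as f:
        f.write(text)

def demo():
    """Constructed theme directory and uploads directory in a temp dir."""
    root = tempfile.mkdtemp(prefix='wp-demo-')
    theme = os.path.join(root, 'wp-content', 'themes', 'twentyfifteen')
    uploads = os.path.join(root, 'wp-content', 'uploads')
    # known-good theme files and the manifest derived from them (constructed)
    good = {
        'header.php': "<?php wp_head(); ?>\n",
        'style.css': "body { margin: 0; }\n",
        'footer.php': "<?php wp_footer(); ?>\n",
    }
    manifest = [{'file': f, 'checksum': hashlib.md5(c.encode()).hexdigest()}
                for f, c in good.items()]
    _write(theme, 'header.php', good['header.php'])
    _write(theme, 'style.css', good['style.css'])
    # footer.php is deliberately never written -> reported as "missing"
    # simulate a compromise: injected code in header.php and a dropped file
    _write(theme, 'header.php', good['header.php'] + "<?php /* injected */ ?>\n")
    _write(theme, 'cache.php', "<?php /* dropped file */ ?>\n")
    # uploads: one image, two PHP uploads (one hiding behind a double extension)
    _write(uploads, '2015/05/photo.jpg', 'not really a JPEG')
    _write(uploads, '2015/05/shell.php', "<?php /* uploaded */ ?>\n")
    _write(uploads, '2015/05/image.php.jpg', "<?php /* uploaded */ ?>\n")
    result = verify_tree(theme, manifest)
    result['php_in_uploads'] = php_in_uploads(uploads)
    return result

if __name__ == '__main__':
    print(demo())
```

Against a real install, root is the theme or plugin directory and manifest is json.loads() of the API response shown on slide 31; core files can be checked the same way with wp core verify-checksums. Two caveats a practitioner will want: the manifest must come from somewhere the attacker cannot edit (fetched from the API, not a copy stored on the compromised host), and the API URL on the slide is plain http://, so an on-path attacker could hand you checksums that match their modified files; fetch it over HTTPS where possible.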
  32. WP-CLI
  33. Ideas are more than welcome
  34. Other solutions
  35. Other solutions • VaultPress • ManageWP / WP Remote / InfiniteWP • Sucuri
  36. There are WordPress plugins you could use, but you should not trust that they do it all
  37. The next steps
  38. Log aggregation • Logstash • Fluentd • OSSEC
  39. OSSEC • An open-source host-based intrusion detection system • Performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response • Works with a manager and agents • https://hackertarget.com/defending-wordpress-ossec/
  40. Thank you for listening. Questions? @markoheijnen markoheijnen.com codekitchen.eu
